Configuring loggers is security-sensitive. It has led in the past to the following vulnerabilities:
Logs are useful before, during and after a security incident.
Logs are also a target for attackers because they might contain sensitive information. Configuring loggers has an impact on the type of information logged and how they are logged.
This rule flags for review code that initiates loggers configuration. The goal is to guide security code reviews.
There is a risk if you answered yes to any of those questions.
Remember that configuring loggers properly doesn't make them bullet-proof. Here is a list of recommendations explaining on how to use your logs:
This rule supports the following libraries: Log4J, java.util.logging
and Logback
// === Log4J 2 === import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory; import org.apache.logging.log4j.Level; import org.apache.logging.log4j.core.*; import org.apache.logging.log4j.core.config.*; // Sensitive: creating a new custom configuration abstract class CustomConfigFactory extends ConfigurationFactory { // ... } class A { void foo(Configuration config, LoggerContext context, java.util.Map<String, Level> levelMap, Appender appender, java.io.InputStream stream, java.net.URI uri, java.io.File file, java.net.URL url, String source, ClassLoader loader, Level level, Filter filter) throws java.io.IOException { // Creating a new custom configuration ConfigurationBuilderFactory.newConfigurationBuilder(); // Sensitive // Setting loggers level can result in writing sensitive information in production Configurator.setAllLevels("com.example", Level.DEBUG); // Sensitive Configurator.setLevel("com.example", Level.DEBUG); // Sensitive Configurator.setLevel(levelMap); // Sensitive Configurator.setRootLevel(Level.DEBUG); // Sensitive config.addAppender(appender); // Sensitive: this modifies the configuration LoggerConfig loggerConfig = config.getRootLogger(); loggerConfig.addAppender(appender, level, filter); // Sensitive loggerConfig.setLevel(level); // Sensitive context.setConfigLocation(uri); // Sensitive // Load the configuration from a stream or file new ConfigurationSource(stream); // Sensitive new ConfigurationSource(stream, file); // Sensitive new ConfigurationSource(stream, url); // Sensitive ConfigurationSource.fromResource(source, loader); // Sensitive ConfigurationSource.fromUri(uri); // Sensitive } }
// === java.util.logging === import java.util.logging.*; class M { void foo(LogManager logManager, Logger logger, java.io.InputStream is, Handler handler) throws SecurityException, java.io.IOException { logManager.readConfiguration(is); // Sensitive logger.setLevel(Level.FINEST); // Sensitive logger.addHandler(handler); // Sensitive } }
// === Logback === import ch.qos.logback.classic.util.ContextInitializer; import ch.qos.logback.core.Appender; import ch.qos.logback.classic.joran.JoranConfigurator; import ch.qos.logback.classic.spi.ILoggingEvent; import ch.qos.logback.classic.*; class M { void foo(Logger logger, Appender<ILoggingEvent> fileAppender) { System.setProperty(ContextInitializer.CONFIG_FILE_PROPERTY, "config.xml"); // Sensitive JoranConfigurator configurator = new JoranConfigurator(); // Sensitive logger.addAppender(fileAppender); // Sensitive logger.setLevel(Level.DEBUG); // Sensitive } }
Log4J 1.x is not covered as it has reached end of life.